Add an API for other QUIC stacks to use our TLS implementation

author Matt Caswell <matt@openssl.org>

Tue, 20 Aug 2024 14:09:17 +0000 (15:09 +0100)

committer Matt Caswell <matt@openssl.org>

Tue, 11 Feb 2025 17:17:10 +0000 (17:17 +0000)
author Matt Caswell <matt@openssl.org>
Tue, 20 Aug 2024 14:09:17 +0000 (15:09 +0100)
committer Matt Caswell <matt@openssl.org>
Tue, 11 Feb 2025 17:17:10 +0000 (17:17 +0000)
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt

index 56554f5233714d2273e53752fb507fd57408618c..decf2d6f2ec42dbded5f8d45dde1a08d84b3c143 100644 (file)
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1,4 +1,4 @@
-# Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1999-2025 The OpenSSL Project Authors. All Rights Reserved.
  #
  # Licensed under the Apache License 2.0 (the "License").  You may not use
  # this file except in compliance with the License.  You can obtain a copy
@@ -1489,6 +1489,7 @@ SSL_R_MISSING_ECDSA_SIGNING_CERT:381:missing ecdsa signing cert
  SSL_R_MISSING_FATAL:256:missing fatal
  SSL_R_MISSING_PARAMETERS:290:missing parameters
  SSL_R_MISSING_PSK_KEX_MODES_EXTENSION:310:missing psk kex modes extension
+SSL_R_MISSING_QUIC_TLS_FUNCTIONS:421:missing quic tls functions
  SSL_R_MISSING_RSA_CERTIFICATE:168:missing rsa certificate
  SSL_R_MISSING_RSA_ENCRYPTING_CERT:169:missing rsa encrypting cert
  SSL_R_MISSING_RSA_SIGNING_CERT:170:missing rsa signing cert
diff --git a/include/internal/quic_tls.h b/include/internal/quic_tls.h

index f9f007a76cc475ee8a29f6a0b7e42fcf5b7b170f..70a99a294c3752462a6cd427f8d8d7c0183f2ca5 100644 (file)
--- a/include/internal/quic_tls.h
+++ b/include/internal/quic_tls.h
@@ -45,8 +45,11 @@ typedef struct quic_tls_args_st {
      void *crypto_release_rcd_cb_arg;
  
  
-    /* Called when a traffic secret is available for a given encryption level. */
-    int (*yield_secret_cb)(uint32_t enc_level, int direction /* 0=RX, 1=TX */,
+    /*
+     * Called when a traffic secret is available for a given TLS protection
+     * level.
+     */
+    int (*yield_secret_cb)(uint32_t prot_level, int direction /* 0=RX, 1=TX */,
                             uint32_t suite_id, EVP_MD *md,
                             const unsigned char *secret, size_t secret_len,
                             void *arg);
@@ -82,12 +85,17 @@ typedef struct quic_tls_args_st {
  
      /* Set to 1 if we are running in the server role. */
      int is_server;
+
+    /* Set to 1 if this is an internal use of the QUIC TLS */
+    int ossl_quic;
  } QUIC_TLS_ARGS;
  
  QUIC_TLS *ossl_quic_tls_new(const QUIC_TLS_ARGS *args);
  
  void ossl_quic_tls_free(QUIC_TLS *qtls);
  
+int ossl_quic_tls_configure(QUIC_TLS *qtls);
+
  /* Advance the state machine */
  int ossl_quic_tls_tick(QUIC_TLS *qtls);
  
diff --git a/include/internal/recordmethod.h b/include/internal/recordmethod.h

index 53bd4ca6d2b11cb956c40b75dc1ff9599f3ce3fb..6f46e19f0a19bbe8bac5d7f44cba6a4c3f889f83 100644 (file)
--- a/include/internal/recordmethod.h
+++ b/include/internal/recordmethod.h
@@ -43,14 +43,6 @@ typedef struct ossl_record_layer_st OSSL_RECORD_LAYER;
  # define OSSL_RECORD_DIRECTION_READ  0
  # define OSSL_RECORD_DIRECTION_WRITE 1
  
-/*
- * Protection level. For <= TLSv1.2 only "NONE" and "APPLICATION" are used.
- */
-# define OSSL_RECORD_PROTECTION_LEVEL_NONE        0
-# define OSSL_RECORD_PROTECTION_LEVEL_EARLY       1
-# define OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE   2
-# define OSSL_RECORD_PROTECTION_LEVEL_APPLICATION 3
-
  # define OSSL_RECORD_RETURN_SUCCESS           1
  # define OSSL_RECORD_RETURN_RETRY             0
  # define OSSL_RECORD_RETURN_NON_FATAL_ERR    -1
diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h

index 2be592d9362d7605c1815bb7002338a2dd7e55d7..fa2e7f33035ddac2d6e2c3c6dd3daedccfe18f30 100644 (file)
--- a/include/openssl/core_dispatch.h
+++ b/include/openssl/core_dispatch.h
@@ -274,6 +274,30 @@ OSSL_CORE_MAKE_FUNC(int, provider_random_bytes, (void *provctx, int which,
                                                   void *buf, size_t n,
                                                   unsigned int strength))
  
+/* Libssl related functions */
+#define OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND          2001
+OSSL_CORE_MAKE_FUNC(int, SSL_QUIC_TLS_crypto_send,
+                    (SSL *s, const unsigned char *buf, size_t buf_len,
+                     size_t *consumed, void *arg))
+#define OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD      2002
+OSSL_CORE_MAKE_FUNC(int, SSL_QUIC_TLS_crypto_recv_rcd,
+                    (SSL *s, const unsigned char **buf, size_t *bytes_read,
+                     void *arg))
+#define OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD   2003
+OSSL_CORE_MAKE_FUNC(int, SSL_QUIC_TLS_crypto_release_rcd,
+                    (SSL *s, size_t bytes_read, void *arg))
+#define OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET         2004
+OSSL_CORE_MAKE_FUNC(int, SSL_QUIC_TLS_yield_secret,
+                    (SSL *s, uint32_t prot_level, int direction,
+                     const unsigned char *secret, size_t secret_len, void *arg))
+#define OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS 2005
+OSSL_CORE_MAKE_FUNC(int, SSL_QUIC_TLS_got_transport_params,
+                    (SSL *s, const unsigned char *params, size_t params_len,
+                     void *arg))
+#define OSSL_FUNC_SSL_QUIC_TLS_ALERT                2006
+OSSL_CORE_MAKE_FUNC(int, SSL_QUIC_TLS_alert,
+                    (SSL *s, unsigned char alert_code, void *arg))
+
  /* Operations */
  
  # define OSSL_OP_DIGEST                              1
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in

index 5da1cde698db582efd92e7a04ecd53595bd8d903..7659917b5fce7b39389551b16765b77ffb4c56e7 100644 (file)
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -2825,6 +2825,19 @@ __owur int SSL_get0_server_cert_type(const SSL *s, unsigned char **t, size_t *le
  __owur int SSL_CTX_get0_client_cert_type(const SSL_CTX *ctx, unsigned char **t, size_t *len);
  __owur int SSL_CTX_get0_server_cert_type(const SSL_CTX *s, unsigned char **t, size_t *len);
  
+/*
+ * Protection level. For <= TLSv1.2 only "NONE" and "APPLICATION" are used.
+ */
+# define OSSL_RECORD_PROTECTION_LEVEL_NONE        0
+# define OSSL_RECORD_PROTECTION_LEVEL_EARLY       1
+# define OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE   2
+# define OSSL_RECORD_PROTECTION_LEVEL_APPLICATION 3
+
+int SSL_set_quic_tls_cbs(SSL *s, const OSSL_DISPATCH *qtdis, void *arg);
+int SSL_set_quic_tls_transport_params(SSL *s,
+                                      const unsigned char *params,
+                                      size_t params_len);
+
  # ifdef  __cplusplus
  }
  # endif
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h

index d6ae547876b45dc264698e1897eab86b63fffc03..ea46d924795fd8fb69149702399b255ca4cd8a17 100644 (file)
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -1,6 +1,6 @@
  /*
   * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
   *
   * Licensed under the Apache License 2.0 (the "License").  You may not use
   * this file except in compliance with the License.  You can obtain a copy
@@ -172,6 +172,7 @@
  # define SSL_R_MISSING_FATAL                              256
  # define SSL_R_MISSING_PARAMETERS                         290
  # define SSL_R_MISSING_PSK_KEX_MODES_EXTENSION            310
+# define SSL_R_MISSING_QUIC_TLS_FUNCTIONS                 421
  # define SSL_R_MISSING_RSA_CERTIFICATE                    168
  # define SSL_R_MISSING_RSA_ENCRYPTING_CERT                169
  # define SSL_R_MISSING_RSA_SIGNING_CERT                   170
diff --git a/ssl/quic/build.info b/ssl/quic/build.info

index 191342ea1b19e2cf2f74c56f7bd53353f1d5421d..88ddc5363b0962c91b2c7ad3da91a26163280c59 100644 (file)
--- a/ssl/quic/build.info
+++ b/ssl/quic/build.info
@@ -11,7 +11,7 @@ SOURCE[$LIBSSL]=quic_sf_list.c quic_rstream.c quic_sstream.c
  SOURCE[$LIBSSL]=quic_reactor.c
  SOURCE[$LIBSSL]=quic_channel.c quic_port.c quic_engine.c
  SOURCE[$LIBSSL]=quic_tserver.c
-SOURCE[$LIBSSL]=quic_tls.c
+SOURCE[$LIBSSL]=quic_tls.c quic_tls_api.c
  SOURCE[$LIBSSL]=quic_thread_assist.c
  SOURCE[$LIBSSL]=quic_trace.c
  SOURCE[$LIBSSL]=quic_srtm.c quic_srt_gen.c
diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c

index 396cbe8461da2a0e08079a2291b45f244cdb132e..b28a4917765fb4cdc31471d0a87830a4c3fb27a6 100644 (file)
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@@ -68,7 +68,7 @@ static int ch_on_transport_params(const unsigned char *params,
                                    void *arg);
  static int ch_on_handshake_alert(void *arg, unsigned char alert_code);
  static int ch_on_handshake_complete(void *arg);
-static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
+static int ch_on_handshake_yield_secret(uint32_t prot_level, int direction,
                                          uint32_t suite_id, EVP_MD *md,
                                          const unsigned char *secret,
                                          size_t secret_len,
@@ -333,6 +333,7 @@ static int ch_init(QUIC_CHANNEL *ch)
      tls_args.alert_cb                   = ch_on_handshake_alert;
      tls_args.alert_cb_arg               = ch;
      tls_args.is_server                  = ch->is_server;
+    tls_args.ossl_quic                  = 1;
  
      if ((ch->qtls = ossl_quic_tls_new(&tls_args)) == NULL)
          goto err;
@@ -946,7 +947,7 @@ static int ch_on_crypto_release_record(size_t bytes_read, void *arg)
      return ossl_quic_rstream_release_record(rstream, bytes_read);
  }
  
-static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
+static int ch_on_handshake_yield_secret(uint32_t prot_level, int direction,
                                          uint32_t suite_id, EVP_MD *md,
                                          const unsigned char *secret,
                                          size_t secret_len,
@@ -954,6 +955,25 @@ static int ch_on_handshake_yield_secret(uint32_t enc_level, int direction,
  {
      QUIC_CHANNEL *ch = arg;
      uint32_t i;
+    uint32_t enc_level;
+
+    /* Convert TLS protection level to QUIC encryption level */
+    switch (prot_level) {
+    case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
+        enc_level = QUIC_ENC_LEVEL_0RTT;
+        break;
+
+    case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
+        enc_level = QUIC_ENC_LEVEL_HANDSHAKE;
+        break;
+
+    case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION:
+        enc_level = QUIC_ENC_LEVEL_1RTT;
+        break;
+
+    default:
+        return 0;
+    }
  
      if (enc_level < QUIC_ENC_LEVEL_HANDSHAKE || enc_level >= QUIC_ENC_LEVEL_NUM)
          /* Invalid EL. */
diff --git a/ssl/quic/quic_tls.c b/ssl/quic/quic_tls.c

index bd560c9a91a3091316303c0cead52ec12c10f8b5..5de711ab06ed410f56000931ceb3e1d9c19e968c 100644 (file)
--- a/ssl/quic/quic_tls.c
+++ b/ssl/quic/quic_tls.c
@@ -103,7 +103,6 @@ quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
                        OSSL_RECORD_LAYER **retrl)
  {
      OSSL_RECORD_LAYER *rl = OPENSSL_zalloc(sizeof(*rl));
-    uint32_t enc_level;
      int qdir;
      uint32_t suite_id = 0;
  
@@ -135,51 +134,41 @@ quic_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
          }
      }
  
-    switch (level) {
-    case OSSL_RECORD_PROTECTION_LEVEL_NONE:
+    if (level == OSSL_RECORD_PROTECTION_LEVEL_NONE)
          return 1;
  
-    case OSSL_RECORD_PROTECTION_LEVEL_EARLY:
-        enc_level = QUIC_ENC_LEVEL_0RTT;
-        break;
-
-    case OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE:
-        enc_level = QUIC_ENC_LEVEL_HANDSHAKE;
-        break;
-
-    case OSSL_RECORD_PROTECTION_LEVEL_APPLICATION:
-        enc_level = QUIC_ENC_LEVEL_1RTT;
-        break;
-
-    default:
-        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
      if (direction == OSSL_RECORD_DIRECTION_READ)
          qdir = 0;
      else
          qdir = 1;
  
-    if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
-        suite_id = QRL_SUITE_AES128GCM;
-    } else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
-        suite_id = QRL_SUITE_AES256GCM;
-    } else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
-        suite_id = QRL_SUITE_CHACHA20POLY1305;
-    } else {
-        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
-        goto err;
-    }
+    if (rl->qtls->args.ossl_quic) {
+        /*
+         * We only look up the suite_id/MD for internal callers. Not used in the
+         * public API. We assume that a 3rd party QUIC stack will want to
+         * figure this out by itself (e.g. so that they could add new
+         * ciphersuites at a different pace to us)
+         */
+        if (EVP_CIPHER_is_a(ciph, "AES-128-GCM")) {
+            suite_id = QRL_SUITE_AES128GCM;
+        } else if (EVP_CIPHER_is_a(ciph, "AES-256-GCM")) {
+            suite_id = QRL_SUITE_AES256GCM;
+        } else if (EVP_CIPHER_is_a(ciph, "CHACHA20-POLY1305")) {
+            suite_id = QRL_SUITE_CHACHA20POLY1305;
+        } else {
+            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE);
+            goto err;
+        }
  
-    /* We pass a ref to the md in a successful yield_secret_cb call */
-    /* TODO(QUIC FUTURE): This cast is horrible. We should try and remove it */
-    if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
-        QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-        goto err;
+        /* We pass a ref to the md in a successful yield_secret_cb call */
+        /* TODO(QUIC FUTURE): This cast is horrible. We should try and remove it */
+        if (!EVP_MD_up_ref((EVP_MD *)kdfdigest)) {
+            QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
      }
  
-    if (!rl->qtls->args.yield_secret_cb(enc_level, qdir, suite_id,
+    if (!rl->qtls->args.yield_secret_cb(level, qdir, suite_id,
                                          (EVP_MD *)kdfdigest, secret, secretlen,
                                          rl->qtls->args.yield_secret_cb_arg)) {
          QUIC_TLS_FATAL(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
@@ -698,6 +687,33 @@ static int raise_error(QUIC_TLS *qtls, uint64_t error_code,
  #define RAISE_INTERNAL_ERROR(qtls) \
      RAISE_ERROR((qtls), OSSL_QUIC_ERR_INTERNAL_ERROR, "internal error")
  
+int ossl_quic_tls_configure(QUIC_TLS *qtls)
+{
+    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(qtls->args.s);
+
+    if (!SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
+        return RAISE_INTERNAL_ERROR(qtls);
+
+    SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
+    ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
+
+    if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
+                                        qtls->args.is_server ? ENDPOINT_SERVER
+                                                                : ENDPOINT_CLIENT,
+                                        TLSEXT_TYPE_quic_transport_parameters,
+                                        SSL_EXT_TLS1_3_ONLY
+                                        | SSL_EXT_CLIENT_HELLO
+                                        | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
+                                        add_transport_params_cb,
+                                        free_transport_params_cb, qtls,
+                                        parse_transport_params_cb, qtls))
+        return 0;
+
+    sc->s3.flags |= TLS1_FLAGS_QUIC;
+
+    return 1;
+}
+
  int ossl_quic_tls_tick(QUIC_TLS *qtls)
  {
      int ret, err;
@@ -749,22 +765,8 @@ int ossl_quic_tls_tick(QUIC_TLS *qtls)
                  return RAISE_ERROR(qtls, OSSL_QUIC_ERR_CRYPTO_NO_APP_PROTO,
                                     "ALPN must be configured when using QUIC");
          }
-        if (!SSL_set_min_proto_version(qtls->args.s, TLS1_3_VERSION))
-            return RAISE_INTERNAL_ERROR(qtls);
  
-        SSL_clear_options(qtls->args.s, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
-        ossl_ssl_set_custom_record_layer(sc, &quic_tls_record_method, qtls);
-
-        if (!ossl_tls_add_custom_ext_intern(NULL, &sc->cert->custext,
-                                            qtls->args.is_server ? ENDPOINT_SERVER
-                                                                 : ENDPOINT_CLIENT,
-                                            TLSEXT_TYPE_quic_transport_parameters,
-                                            SSL_EXT_TLS1_3_ONLY
-                                            | SSL_EXT_CLIENT_HELLO
-                                            | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
-                                            add_transport_params_cb,
-                                            free_transport_params_cb, qtls,
-                                            parse_transport_params_cb, qtls))
+        if (!ossl_quic_tls_configure(qtls))
              return RAISE_INTERNAL_ERROR(qtls);
  
          nullbio = BIO_new(BIO_s_null());
diff --git a/ssl/quic/quic_tls_api.c b/ssl/quic/quic_tls_api.c

new file mode 100644 (file)

index 0000000..504cfe3
--- /dev/null
+++ b/ssl/quic/quic_tls_api.c
@@ -0,0 +1,187 @@
+/*
+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/ssl.h>
+#include "internal/quic_tls.h"
+#include "../ssl_local.h"
+
+static int crypto_send_cb(const unsigned char *buf, size_t buf_len,
+                          size_t *consumed, void *arg)
+{
+    SSL *s = (SSL *)arg;
+    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+
+    if (sc == NULL)
+        return 0;
+    return sc->qtcb.crypto_send_cb(s, buf, buf_len, consumed, sc->qtarg);
+}
+
+static int crypto_recv_rcd_cb(const unsigned char **buf, size_t *bytes_read,
+                              void *arg)
+{
+    SSL *s = (SSL *)arg;
+    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+
+    if (sc == NULL)
+        return 0;
+    return sc->qtcb.crypto_recv_rcd_cb(s, buf, bytes_read, sc->qtarg);
+}
+
+static int crypto_release_rcd_cb(size_t bytes_read, void *arg)
+{
+    SSL *s = (SSL *)arg;
+    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+
+    if (sc == NULL)
+        return 0;
+    return sc->qtcb.crypto_release_rcd_cb(s, bytes_read, sc->qtarg);
+}
+static int yield_secret_cb(uint32_t prot_level, int direction,
+                           uint32_t suite_id, EVP_MD *md,
+                           const unsigned char *secret, size_t secret_len,
+                           void *arg)
+{
+    SSL *s = (SSL *)arg;
+    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+
+    if (sc == NULL)
+        return 0;
+    return sc->qtcb.yield_secret_cb(s, prot_level, direction,
+                                    secret, secret_len, sc->qtarg);
+}
+
+static int got_transport_params_cb(const unsigned char *params,
+                                   size_t params_len,
+                                   void *arg)
+{
+    SSL *s = (SSL *)arg;
+    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+
+    if (sc == NULL)
+        return 0;
+    return sc->qtcb.got_transport_params_cb(s, params, params_len, sc->qtarg);
+}
+
+static int alert_cb(void *arg, unsigned char alert_code)
+{
+    SSL *s = (SSL *)arg;
+    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+
+    if (sc == NULL)
+        return 0;
+    return sc->qtcb.alert_cb(s, alert_code, sc->qtarg);
+}
+
+static int tls_callbacks_from_dispatch(OSSL_QUIC_TLS_CALLBACKS *qtcb,
+                                       const OSSL_DISPATCH *qtdis)
+{
+    for (; qtdis->function_id != 0; qtdis++) {
+        switch (qtdis->function_id) {
+        case OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND:
+            if (qtcb->crypto_send_cb == NULL)
+                qtcb->crypto_send_cb = OSSL_FUNC_SSL_QUIC_TLS_crypto_send(qtdis);
+            break;
+        case OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD:
+            if (qtcb->crypto_recv_rcd_cb == NULL)
+                qtcb->crypto_recv_rcd_cb =
+                    OSSL_FUNC_SSL_QUIC_TLS_crypto_recv_rcd(qtdis);
+            break;
+        case OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD:
+            if (qtcb->crypto_release_rcd_cb == NULL)
+                qtcb->crypto_release_rcd_cb =
+                    OSSL_FUNC_SSL_QUIC_TLS_crypto_release_rcd(qtdis);
+            break;
+        case OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET:
+            if (qtcb->yield_secret_cb == NULL)
+                qtcb->yield_secret_cb =
+                    OSSL_FUNC_SSL_QUIC_TLS_yield_secret(qtdis);
+            break;
+        case OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS:
+            if (qtcb->got_transport_params_cb == NULL)
+                qtcb->got_transport_params_cb =
+                    OSSL_FUNC_SSL_QUIC_TLS_got_transport_params(qtdis);
+            break;
+        case OSSL_FUNC_SSL_QUIC_TLS_ALERT:
+            if (qtcb->alert_cb == NULL)
+                qtcb->alert_cb =
+                    OSSL_FUNC_SSL_QUIC_TLS_alert(qtdis);
+            break;
+        }
+    }
+
+    if (qtcb->crypto_send_cb == NULL
+            || qtcb->crypto_recv_rcd_cb == NULL
+            || qtcb->crypto_release_rcd_cb == NULL
+            || qtcb->yield_secret_cb == NULL
+            || qtcb->got_transport_params_cb == NULL
+            || qtcb->alert_cb == NULL) {
+        ERR_raise(ERR_LIB_SSL, SSL_R_MISSING_QUIC_TLS_FUNCTIONS);
+        return 0;
+    }
+
+    return 1;
+}
+
+int SSL_set_quic_tls_cbs(SSL *s, const OSSL_DISPATCH *qtdis, void *arg)
+{
+    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+    QUIC_TLS_ARGS qtlsargs;
+
+    if (!SSL_is_tls(s)) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+        return 0;
+    }
+
+    if (!tls_callbacks_from_dispatch(&sc->qtcb, qtdis))
+        /* ERR_raise already called*/
+        return 0;
+
+    sc->qtarg = arg;
+
+    ossl_quic_tls_free(sc->qtls);
+    qtlsargs.s = s;
+    qtlsargs.crypto_send_cb = crypto_send_cb;
+    qtlsargs.crypto_send_cb_arg = s;
+    qtlsargs.crypto_recv_rcd_cb = crypto_recv_rcd_cb;
+    qtlsargs.crypto_recv_rcd_cb_arg = s;
+    qtlsargs.crypto_release_rcd_cb = crypto_release_rcd_cb;
+    qtlsargs.crypto_release_rcd_cb_arg = s;
+    qtlsargs.yield_secret_cb = yield_secret_cb;
+    qtlsargs.yield_secret_cb_arg = s;
+    qtlsargs.got_transport_params_cb = got_transport_params_cb;
+    qtlsargs.got_transport_params_cb_arg = s;
+    qtlsargs.handshake_complete_cb = NULL;
+    qtlsargs.handshake_complete_cb_arg = NULL;
+    qtlsargs.alert_cb = alert_cb;
+    qtlsargs.alert_cb_arg = s;
+    qtlsargs.is_server = sc->server;
+    qtlsargs.ossl_quic = 0;
+    sc->qtls = ossl_quic_tls_new(&qtlsargs);
+    if (sc->qtls == NULL)
+        return 0;
+
+    if (!ossl_quic_tls_configure(sc->qtls))
+        return 0;
+
+    return 1;
+}
+
+int SSL_set_quic_tls_transport_params(SSL *s,
+                                      const unsigned char *params,
+                                      size_t params_len)
+{
+    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+
+    if (sc->qtls == NULL) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+        return 0;
+    }
+
+    return ossl_quic_tls_set_transport_params(sc->qtls, params, params_len);
+}
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c

index fad32a5dffc8cc9503e19abed93f966be995c542..dadc59dbb301cfa310f6c4338edd1b3ec0ea608a 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3441,6 +3441,7 @@ void ssl3_free(SSL *s)
      ssl3_free_digest_list(sc);
      OPENSSL_free(sc->s3.alpn_selected);
      OPENSSL_free(sc->s3.alpn_proposed);
+    ossl_quic_tls_free(sc->qtls);
  
  #ifndef OPENSSL_NO_PSK
      OPENSSL_free(sc->s3.tmp.psk);
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c

index 3ef6afd03e6520103daec7ffa8d32cc804f89954..bf346a2cc80d11d45d377b189945a24ea59d0349 100644 (file)
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1,6 +1,6 @@
  /*
   * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
   *
   * Licensed under the Apache License 2.0 (the "License").  You may not use
   * this file except in compliance with the License.  You can obtain a copy
@@ -16,22 +16,22 @@
  
  static const ERR_STRING_DATA SSL_str_reasons[] = {
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY),
-    "application data after close notify"},
+     "application data after close notify"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE),
-    "app data in handshake"},
+     "app data in handshake"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),
-    "attempt to reuse session in different context"},
+     "attempt to reuse session in different context"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE),
-    "at least (D)TLS 1.2 needed in Suite B mode"},
+     "at least (D)TLS 1.2 needed in Suite B mode"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CERTIFICATE), "bad certificate"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CHANGE_CIPHER_SPEC),
-    "bad change cipher spec"},
+     "bad change cipher spec"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CIPHER), "bad cipher"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_COMPRESSION_ALGORITHM),
-    "bad compression algorithm"},
+     "bad compression algorithm"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA), "bad data"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK),
-    "bad data returned by callback"},
+     "bad data returned by callback"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DECOMPRESSION), "bad decompression"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DH_VALUE), "bad dh value"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DIGEST_LENGTH), "bad digest length"},
@@ -40,9 +40,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECPOINT), "bad ecpoint"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_EXTENSION), "bad extension"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HANDSHAKE_LENGTH),
-    "bad handshake length"},
+     "bad handshake length"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HANDSHAKE_STATE),
-    "bad handshake state"},
+     "bad handshake state"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HELLO_REQUEST), "bad hello request"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HRR_VERSION), "bad hrr version"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_KEY_SHARE), "bad key share"},
@@ -52,7 +52,7 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PACKET), "bad packet"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PACKET_LENGTH), "bad packet length"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PROTOCOL_VERSION_NUMBER),
-    "bad protocol version number"},
+     "bad protocol version number"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PSK), "bad psk"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PSK_IDENTITY), "bad psk identity"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RECORD_TYPE), "bad record type"},
@@ -62,560 +62,562 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_PARAMETERS), "bad srp parameters"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRTP_MKI_VALUE), "bad srtp mki value"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST),
-    "bad srtp protection profile list"},
+     "bad srtp protection profile list"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SSL_FILETYPE), "bad ssl filetype"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_VALUE), "bad value"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_WRITE_RETRY), "bad write retry"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BINDER_DOES_NOT_VERIFY),
-    "binder does not verify"},
+     "binder does not verify"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BIO_NOT_SET), "bio not set"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),
-    "block cipher pad is wrong"},
+     "block cipher pad is wrong"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BN_LIB), "bn lib"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CALLBACK_FAILED), "callback failed"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CANNOT_CHANGE_CIPHER),
-    "cannot change cipher"},
+     "cannot change cipher"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CANNOT_GET_GROUP_NAME),
-    "cannot get group name"},
+     "cannot get group name"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_DN_LENGTH_MISMATCH),
-    "ca dn length mismatch"},
+     "ca dn length mismatch"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_KEY_TOO_SMALL), "ca key too small"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_MD_TOO_WEAK), "ca md too weak"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CCS_RECEIVED_EARLY), "ccs received early"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERTIFICATE_VERIFY_FAILED),
-    "certificate verify failed"},
+     "certificate verify failed"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERT_CB_ERROR), "cert cb error"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERT_LENGTH_MISMATCH),
-    "cert length mismatch"},
+     "cert length mismatch"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED),
-    "ciphersuite digest has changed"},
+     "ciphersuite digest has changed"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_CODE_WRONG_LENGTH),
-    "cipher code wrong length"},
+     "cipher code wrong length"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CLIENTHELLO_TLSEXT), "clienthello tlsext"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSED_LENGTH_TOO_LONG),
-    "compressed length too long"},
+     "compressed length too long"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_DISABLED),
-    "compression disabled"},
+     "compression disabled"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_FAILURE),
-    "compression failure"},
+     "compression failure"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE),
-    "compression id not within private range"},
+     "compression id not within private range"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_LIBRARY_ERROR),
-    "compression library error"},
+     "compression library error"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONNECTION_TYPE_NOT_SET),
-    "connection type not set"},
+     "connection type not set"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONN_USE_ONLY), "conn use only"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONTEXT_NOT_DANE_ENABLED),
-    "context not dane enabled"},
+     "context not dane enabled"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COOKIE_GEN_CALLBACK_FAILURE),
-    "cookie gen callback failure"},
+     "cookie gen callback failure"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COOKIE_MISMATCH), "cookie mismatch"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COPY_PARAMETERS_FAILED),
-    "copy parameters failed"},
+     "copy parameters failed"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED),
-    "custom ext handler already installed"},
+     "custom ext handler already installed"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_ALREADY_ENABLED),
-    "dane already enabled"},
+     "dane already enabled"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL),
-    "dane cannot override mtype full"},
+     "dane cannot override mtype full"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_NOT_ENABLED), "dane not enabled"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_CERTIFICATE),
-    "dane tlsa bad certificate"},
+     "dane tlsa bad certificate"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE),
-    "dane tlsa bad certificate usage"},
+     "dane tlsa bad certificate usage"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_DATA_LENGTH),
-    "dane tlsa bad data length"},
+     "dane tlsa bad data length"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH),
-    "dane tlsa bad digest length"},
+     "dane tlsa bad digest length"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_MATCHING_TYPE),
-    "dane tlsa bad matching type"},
+     "dane tlsa bad matching type"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY),
-    "dane tlsa bad public key"},
+     "dane tlsa bad public key"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_BAD_SELECTOR),
-    "dane tlsa bad selector"},
+     "dane tlsa bad selector"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DANE_TLSA_NULL_DATA),
-    "dane tlsa null data"},
+     "dane tlsa null data"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),
-    "data between ccs and finished"},
+     "data between ccs and finished"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DATA_LENGTH_TOO_LONG),
-    "data length too long"},
+     "data length too long"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DECRYPTION_FAILED), "decryption failed"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),
-    "decryption failed or bad record mac"},
+     "decryption failed or bad record mac"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DH_KEY_TOO_SMALL), "dh key too small"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),
-    "dh public value length is wrong"},
+     "dh public value length is wrong"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DIGEST_CHECK_FAILED),
-    "digest check failed"},
+     "digest check failed"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DTLS_MESSAGE_TOO_BIG),
-    "dtls message too big"},
+     "dtls message too big"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DUPLICATE_COMPRESSION_ID),
-    "duplicate compression id"},
+     "duplicate compression id"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECC_CERT_NOT_FOR_SIGNING),
-    "ecc cert not for signing"},
+     "ecc cert not for signing"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE),
-    "ecdh required for suiteb mode"},
+     "ecdh required for suiteb mode"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EE_KEY_TOO_SMALL), "ee key too small"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EMPTY_RAW_PUBLIC_KEY),
-    "empty raw public key"},
+     "empty raw public key"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST),
-    "empty srtp protection profile list"},
+     "empty srtp protection profile list"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ENCRYPTED_LENGTH_TOO_LONG),
-    "encrypted length too long"},
+     "encrypted length too long"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),
-    "error in received cipher list"},
+     "error in received cipher list"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_SYSTEM_DEFAULT_CONFIG),
-    "error in system default config"},
+     "error in system default config"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN),
-    "error setting tlsa base domain"},
+     "error setting tlsa base domain"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE),
-    "exceeds max fragment size"},
+     "exceeds max fragment size"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXCESSIVE_MESSAGE_SIZE),
-    "excessive message size"},
+     "excessive message size"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXTENSION_NOT_RECEIVED),
-    "extension not received"},
+     "extension not received"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXTRA_DATA_IN_MESSAGE),
-    "extra data in message"},
+     "extra data in message"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXT_LENGTH_MISMATCH),
-    "ext length mismatch"},
+     "ext length mismatch"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FAILED_TO_GET_PARAMETER),
-    "failed to get parameter"},
+     "failed to get parameter"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FAILED_TO_INIT_ASYNC),
-    "failed to init async"},
+     "failed to init async"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FEATURE_NEGOTIATION_NOT_COMPLETE),
-    "feature negotiation not complete"},
+     "feature negotiation not complete"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FEATURE_NOT_RENEGOTIABLE),
-    "feature not renegotiable"},
+     "feature not renegotiable"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FRAGMENTED_CLIENT_HELLO),
-    "fragmented client hello"},
+     "fragmented client hello"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOT_A_FIN_BEFORE_A_CCS),
-    "got a fin before a ccs"},
+     "got a fin before a ccs"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HTTPS_PROXY_REQUEST),
-    "https proxy request"},
+     "https proxy request"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HTTP_REQUEST), "http request"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ILLEGAL_POINT_COMPRESSION),
-    "illegal point compression"},
+     "illegal point compression"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ILLEGAL_SUITEB_DIGEST),
-    "illegal Suite B digest"},
+     "illegal Suite B digest"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INAPPROPRIATE_FALLBACK),
-    "inappropriate fallback"},
+     "inappropriate fallback"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_COMPRESSION),
-    "inconsistent compression"},
+     "inconsistent compression"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_EARLY_DATA_ALPN),
-    "inconsistent early data alpn"},
+     "inconsistent early data alpn"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_EARLY_DATA_SNI),
-    "inconsistent early data sni"},
+     "inconsistent early data sni"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_EXTMS), "inconsistent extms"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INSUFFICIENT_SECURITY),
-    "insufficient security"},
+     "insufficient security"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_ALERT), "invalid alert"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CCS_MESSAGE),
-    "invalid ccs message"},
+     "invalid ccs message"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CERTIFICATE_OR_ALG),
-    "invalid certificate or alg"},
+     "invalid certificate or alg"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMMAND), "invalid command"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMPRESSION_ALGORITHM),
-    "invalid compression algorithm"},
+     "invalid compression algorithm"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CONFIG), "invalid config"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CONFIGURATION_NAME),
-    "invalid configuration name"},
+     "invalid configuration name"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CONTEXT), "invalid context"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CT_VALIDATION_TYPE),
-    "invalid ct validation type"},
+     "invalid ct validation type"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_KEY_UPDATE_TYPE),
-    "invalid key update type"},
+     "invalid key update type"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_MAX_EARLY_DATA),
-    "invalid max early data"},
+     "invalid max early data"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_NULL_CMD_NAME),
-    "invalid null cmd name"},
+     "invalid null cmd name"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_RAW_PUBLIC_KEY),
-    "invalid raw public key"},
+     "invalid raw public key"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_RECORD), "invalid record"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SEQUENCE_NUMBER),
-    "invalid sequence number"},
+     "invalid sequence number"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SERVERINFO_DATA),
-    "invalid serverinfo data"},
+     "invalid serverinfo data"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SESSION_ID), "invalid session id"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SRP_USERNAME),
-    "invalid srp username"},
+     "invalid srp username"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_STATUS_RESPONSE),
-    "invalid status response"},
+     "invalid status response"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_TICKET_KEYS_LENGTH),
-    "invalid ticket keys length"},
+     "invalid ticket keys length"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED),
-    "legacy sigalg disallowed or unsupported"},
+     "legacy sigalg disallowed or unsupported"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_MISMATCH), "length mismatch"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_LONG), "length too long"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_SHORT), "length too short"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LIBRARY_BUG), "library bug"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LIBRARY_HAS_NO_CIPHERS),
-    "library has no ciphers"},
+     "library has no ciphers"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MAXIMUM_ENCRYPTED_PKTS_REACHED),
-    "maximum encrypted pkts reached"},
+     "maximum encrypted pkts reached"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_DSA_SIGNING_CERT),
-    "missing dsa signing cert"},
+     "missing dsa signing cert"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_ECDSA_SIGNING_CERT),
-    "missing ecdsa signing cert"},
+     "missing ecdsa signing cert"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_FATAL), "missing fatal"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_PARAMETERS), "missing parameters"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_PSK_KEX_MODES_EXTENSION),
-    "missing psk kex modes extension"},
+     "missing psk kex modes extension"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_QUIC_TLS_FUNCTIONS),
+     "missing quic tls functions"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_CERTIFICATE),
-    "missing rsa certificate"},
+     "missing rsa certificate"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_ENCRYPTING_CERT),
-    "missing rsa encrypting cert"},
+     "missing rsa encrypting cert"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_SIGNING_CERT),
-    "missing rsa signing cert"},
+     "missing rsa signing cert"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SIGALGS_EXTENSION),
-    "missing sigalgs extension"},
+     "missing sigalgs extension"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SIGNING_CERT),
-    "missing signing cert"},
+     "missing signing cert"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SRP_PARAM),
-    "can't find SRP server param"},
+     "can't find SRP server param"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION),
-    "missing supported groups extension"},
+     "missing supported groups extension"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SUPPORTED_VERSIONS_EXTENSION),
-    "missing supported versions extension"},
+     "missing supported versions extension"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY),
-    "missing tmp ecdh key"},
+     "missing tmp ecdh key"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
-    "mixed handshake and non handshake data"},
+     "mixed handshake and non handshake data"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
-    "not on record boundary"},
+     "not on record boundary"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_REPLACING_CERTIFICATE),
-    "not replacing certificate"},
+     "not replacing certificate"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_SERVER), "not server"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_APPLICATION_PROTOCOL),
-    "no application protocol"},
+     "no application protocol"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATES_RETURNED),
-    "no certificates returned"},
+     "no certificates returned"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_ASSIGNED),
-    "no certificate assigned"},
+     "no certificate assigned"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_SET), "no certificate set"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CHANGE_FOLLOWING_HRR),
-    "no change following hrr"},
+     "no change following hrr"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHERS_AVAILABLE),
-    "no ciphers available"},
+     "no ciphers available"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHERS_SPECIFIED),
-    "no ciphers specified"},
+     "no ciphers specified"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHER_MATCH), "no cipher match"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CLIENT_CERT_METHOD),
-    "no client cert method"},
+     "no client cert method"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_COMPRESSION_SPECIFIED),
-    "no compression specified"},
+     "no compression specified"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_COOKIE_CALLBACK_SET),
-    "no cookie callback set"},
+     "no cookie callback set"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
-    "Peer haven't sent GOST certificate, required for selected ciphersuite"},
+     "Peer haven't sent GOST certificate, required for selected ciphersuite"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_METHOD_SPECIFIED),
-    "no method specified"},
+     "no method specified"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PEM_EXTENSIONS), "no pem extensions"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PRIVATE_KEY_ASSIGNED),
-    "no private key assigned"},
+     "no private key assigned"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PROTOCOLS_AVAILABLE),
-    "no protocols available"},
+     "no protocols available"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_RENEGOTIATION), "no renegotiation"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_REQUIRED_DIGEST), "no required digest"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SHARED_CIPHER), "no shared cipher"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SHARED_GROUPS), "no shared groups"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS),
-    "no shared signature algorithms"},
+     "no shared signature algorithms"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SRTP_PROFILES), "no srtp profiles"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_STREAM), "no stream"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_DIGEST_ALGORITHM),
-    "no suitable digest algorithm"},
+     "no suitable digest algorithm"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_GROUPS), "no suitable groups"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_KEY_SHARE),
-    "no suitable key share"},
+     "no suitable key share"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_RECORD_LAYER),
-    "no suitable record layer"},
+     "no suitable record layer"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM),
-    "no suitable signature algorithm"},
+     "no suitable signature algorithm"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_VALID_SCTS), "no valid scts"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_VERIFY_COOKIE_CALLBACK),
-    "no verify cookie callback"},
+     "no verify cookie callback"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_CTX), "null ssl ctx"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_METHOD_PASSED),
-    "null ssl method passed"},
+     "null ssl method passed"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OCSP_CALLBACK_FAILURE),
-    "ocsp callback failure"},
+     "ocsp callback failure"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),
-    "old session cipher not returned"},
+     "old session cipher not returned"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED),
-    "old session compression algorithm not returned"},
+     "old session compression algorithm not returned"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OVERFLOW_ERROR), "overflow error"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PACKET_LENGTH_TOO_LONG),
-    "packet length too long"},
+     "packet length too long"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PARSE_TLSEXT), "parse tlsext"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PATH_TOO_LONG), "path too long"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),
-    "peer did not return a certificate"},
+     "peer did not return a certificate"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEM_NAME_BAD_PREFIX),
-    "pem name bad prefix"},
+     "pem name bad prefix"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEM_NAME_TOO_SHORT), "pem name too short"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PIPELINE_FAILURE), "pipeline failure"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_POLL_REQUEST_NOT_SUPPORTED),
-    "poll request not supported"},
+     "poll request not supported"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR),
-    "post handshake auth encoding err"},
+     "post handshake auth encoding err"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PRIVATE_KEY_MISMATCH),
-    "private key mismatch"},
+     "private key mismatch"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PROTOCOL_IS_SHUTDOWN),
-    "protocol is shutdown"},
+     "protocol is shutdown"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_IDENTITY_NOT_FOUND),
-    "psk identity not found"},
+     "psk identity not found"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_NO_CLIENT_CB), "psk no client cb"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_NO_SERVER_CB), "psk no server cb"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_QUIC_HANDSHAKE_LAYER_ERROR),
-    "quic handshake layer error"},
+     "quic handshake layer error"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_QUIC_NETWORK_ERROR), "quic network error"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_QUIC_PROTOCOL_ERROR),
-    "quic protocol error"},
+     "quic protocol error"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_READ_BIO_NOT_SET), "read bio not set"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_READ_TIMEOUT_EXPIRED),
-    "read timeout expired"},
+     "read timeout expired"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORDS_NOT_RELEASED),
-    "records not released"},
+     "records not released"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_LAYER_FAILURE),
-    "record layer failure"},
+     "record layer failure"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_LENGTH_MISMATCH),
-    "record length mismatch"},
+     "record length mismatch"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_TOO_SMALL), "record too small"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REMOTE_PEER_ADDRESS_NOT_SET),
-    "remote peer address not set"},
+     "remote peer address not set"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATE_EXT_TOO_LONG),
-    "renegotiate ext too long"},
+     "renegotiate ext too long"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATION_ENCODING_ERR),
-    "renegotiation encoding err"},
+     "renegotiation encoding err"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATION_MISMATCH),
-    "renegotiation mismatch"},
+     "renegotiation mismatch"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUEST_PENDING), "request pending"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUEST_SENT), "request sent"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUIRED_CIPHER_MISSING),
-    "required cipher missing"},
+     "required cipher missing"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING),
-    "required compression algorithm missing"},
+     "required compression algorithm missing"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING),
-    "scsv received when renegotiating"},
+     "scsv received when renegotiating"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SCT_VERIFICATION_FAILED),
-    "sct verification failed"},
+     "sct verification failed"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SEQUENCE_CTR_WRAPPED),
-    "sequence ctr wrapped"},
+     "sequence ctr wrapped"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SERVERHELLO_TLSEXT), "serverhello tlsext"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),
-    "session id context uninitialized"},
+     "session id context uninitialized"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SHUTDOWN_WHILE_IN_INIT),
-    "shutdown while in init"},
+     "shutdown while in init"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SIGNATURE_ALGORITHMS_ERROR),
-    "signature algorithms error"},
+     "signature algorithms error"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),
-    "signature for non signing certificate"},
+     "signature for non signing certificate"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRP_A_CALC), "error with the srp params"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES),
-    "srtp could not allocate profiles"},
+     "srtp could not allocate profiles"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG),
-    "srtp protection profile list too long"},
+     "srtp protection profile list too long"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE),
-    "srtp unknown protection profile"},
+     "srtp unknown protection profile"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH),
-    "ssl3 ext invalid max fragment length"},
+     "ssl3 ext invalid max fragment length"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_SERVERNAME),
-    "ssl3 ext invalid servername"},
+     "ssl3 ext invalid servername"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE),
-    "ssl3 ext invalid servername type"},
+     "ssl3 ext invalid servername type"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_SESSION_ID_TOO_LONG),
-    "ssl3 session id too long"},
+     "ssl3 session id too long"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE),
-    "ssl/tls alert bad certificate"},
+     "ssl/tls alert bad certificate"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_BAD_RECORD_MAC),
-    "ssl/tls alert bad record mac"},
+     "ssl/tls alert bad record mac"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED),
-    "ssl/tls alert certificate expired"},
+     "ssl/tls alert certificate expired"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED),
-    "ssl/tls alert certificate revoked"},
+     "ssl/tls alert certificate revoked"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN),
-    "ssl/tls alert certificate unknown"},
+     "ssl/tls alert certificate unknown"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE),
-    "ssl/tls alert decompression failure"},
+     "ssl/tls alert decompression failure"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE),
-    "ssl/tls alert handshake failure"},
+     "ssl/tls alert handshake failure"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER),
-    "ssl/tls alert illegal parameter"},
+     "ssl/tls alert illegal parameter"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_NO_CERTIFICATE),
-    "ssl/tls alert no certificate"},
+     "ssl/tls alert no certificate"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE),
-    "ssl/tls alert unexpected message"},
+     "ssl/tls alert unexpected message"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),
-    "ssl/tls alert unsupported certificate"},
+     "ssl/tls alert unsupported certificate"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_COMMAND_SECTION_EMPTY),
-    "ssl command section empty"},
+     "ssl command section empty"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_COMMAND_SECTION_NOT_FOUND),
-    "ssl command section not found"},
+     "ssl command section not found"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),
-    "ssl ctx has no default ssl version"},
+     "ssl ctx has no default ssl version"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_HANDSHAKE_FAILURE),
-    "ssl handshake failure"},
+     "ssl handshake failure"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS),
-    "ssl library has no ciphers"},
+     "ssl library has no ciphers"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_NEGATIVE_LENGTH),
-    "ssl negative length"},
+     "ssl negative length"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SECTION_EMPTY), "ssl section empty"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SECTION_NOT_FOUND),
-    "ssl section not found"},
+     "ssl section not found"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CALLBACK_FAILED),
-    "ssl session id callback failed"},
+     "ssl session id callback failed"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CONFLICT),
-    "ssl session id conflict"},
+     "ssl session id conflict"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),
-    "ssl session id context too long"},
+     "ssl session id context too long"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),
-    "ssl session id has bad length"},
+     "ssl session id has bad length"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_TOO_LONG),
-    "ssl session id too long"},
+     "ssl session id too long"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_VERSION_MISMATCH),
-    "ssl session version mismatch"},
+     "ssl session version mismatch"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STILL_IN_INIT), "still in init"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STREAM_COUNT_LIMITED),
-    "stream count limited"},
+     "stream count limited"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STREAM_FINISHED), "stream finished"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STREAM_RECV_ONLY), "stream recv only"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STREAM_RESET), "stream reset"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_STREAM_SEND_ONLY), "stream send only"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED),
-    "tlsv13 alert certificate required"},
+     "tlsv13 alert certificate required"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV13_ALERT_MISSING_EXTENSION),
-    "tlsv13 alert missing extension"},
+     "tlsv13 alert missing extension"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_ACCESS_DENIED),
-    "tlsv1 alert access denied"},
+     "tlsv1 alert access denied"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECODE_ERROR),
-    "tlsv1 alert decode error"},
+     "tlsv1 alert decode error"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),
-    "tlsv1 alert decryption failed"},
+     "tlsv1 alert decryption failed"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECRYPT_ERROR),
-    "tlsv1 alert decrypt error"},
+     "tlsv1 alert decrypt error"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),
-    "tlsv1 alert export restriction"},
+     "tlsv1 alert export restriction"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),
-    "tlsv1 alert inappropriate fallback"},
+     "tlsv1 alert inappropriate fallback"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),
-    "tlsv1 alert insufficient security"},
+     "tlsv1 alert insufficient security"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INTERNAL_ERROR),
-    "tlsv1 alert internal error"},
+     "tlsv1 alert internal error"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_NO_APPLICATION_PROTOCOL),
-    "tlsv1 alert no application protocol"},
+     "tlsv1 alert no application protocol"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),
-    "tlsv1 alert no renegotiation"},
+     "tlsv1 alert no renegotiation"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_PROTOCOL_VERSION),
-    "tlsv1 alert protocol version"},
+     "tlsv1 alert protocol version"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_RECORD_OVERFLOW),
-    "tlsv1 alert record overflow"},
+     "tlsv1 alert record overflow"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_UNKNOWN_CA),
-    "tlsv1 alert unknown ca"},
+     "tlsv1 alert unknown ca"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_UNKNOWN_PSK_IDENTITY),
-    "tlsv1 alert unknown psk identity"},
+     "tlsv1 alert unknown psk identity"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_USER_CANCELLED),
-    "tlsv1 alert user cancelled"},
+     "tlsv1 alert user cancelled"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE),
-    "tlsv1 bad certificate hash value"},
+     "tlsv1 bad certificate hash value"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE),
-    "tlsv1 bad certificate status response"},
+     "tlsv1 bad certificate status response"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE),
-    "tlsv1 certificate unobtainable"},
+     "tlsv1 certificate unobtainable"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNRECOGNIZED_NAME),
-    "tlsv1 unrecognized name"},
+     "tlsv1 unrecognized name"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNSUPPORTED_EXTENSION),
-    "tlsv1 unsupported extension"},
+     "tlsv1 unsupported extension"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL),
-    "tls illegal exporter label"},
+     "tls illegal exporter label"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),
-    "tls invalid ecpointformat list"},
+     "tls invalid ecpointformat list"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TOO_MANY_KEY_UPDATES),
-    "too many key updates"},
+     "too many key updates"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TOO_MANY_WARN_ALERTS),
-    "too many warn alerts"},
+     "too many warn alerts"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TOO_MUCH_EARLY_DATA),
-    "too much early data"},
+     "too much early data"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS),
-    "unable to find ecdh parameters"},
+     "unable to find ecdh parameters"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS),
-    "unable to find public key parameters"},
+     "unable to find public key parameters"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES),
-    "unable to load ssl3 md5 routines"},
+     "unable to load ssl3 md5 routines"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),
-    "unable to load ssl3 sha1 routines"},
+     "unable to load ssl3 sha1 routines"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_CCS_MESSAGE),
-    "unexpected ccs message"},
+     "unexpected ccs message"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
-    "unexpected end of early data"},
+     "unexpected end of early data"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING),
-    "unexpected eof while reading"},
+     "unexpected eof while reading"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CERTIFICATE_TYPE),
-    "unknown certificate type"},
+     "unknown certificate type"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CIPHER_RETURNED),
-    "unknown cipher returned"},
+     "unknown cipher returned"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CIPHER_TYPE),
-    "unknown cipher type"},
+     "unknown cipher type"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CMD_NAME), "unknown cmd name"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_COMMAND), "unknown command"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_DIGEST), "unknown digest"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),
-    "unknown key exchange type"},
+     "unknown key exchange type"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_MANDATORY_PARAMETER),
-    "unknown mandatory parameter"},
+     "unknown mandatory parameter"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_PKEY_TYPE), "unknown pkey type"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_PROTOCOL), "unknown protocol"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_SSL_VERSION),
-    "unknown ssl version"},
+     "unknown ssl version"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_STATE), "unknown state"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),
-    "unsafe legacy renegotiation disabled"},
+     "unsafe legacy renegotiation disabled"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSOLICITED_EXTENSION),
-    "unsolicited extension"},
+     "unsolicited extension"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),
-    "unsupported compression algorithm"},
+     "unsupported compression algorithm"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_CONFIG_VALUE),
-    "unsupported config value"},
+     "unsupported config value"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_CONFIG_VALUE_CLASS),
-    "unsupported config value class"},
+     "unsupported config value class"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_CONFIG_VALUE_OP),
-    "unsupported config value op"},
+     "unsupported config value op"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),
-    "unsupported elliptic curve"},
+     "unsupported elliptic curve"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_PROTOCOL),
-    "unsupported protocol"},
+     "unsupported protocol"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_SSL_VERSION),
-    "unsupported ssl version"},
+     "unsupported ssl version"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_STATUS_TYPE),
-    "unsupported status type"},
+     "unsupported status type"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_WRITE_FLAG),
-    "unsupported write flag"},
+     "unsupported write flag"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_USE_SRTP_NOT_NEGOTIATED),
-    "use srtp not negotiated"},
+     "use srtp not negotiated"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_VERSION_TOO_HIGH), "version too high"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_VERSION_TOO_LOW), "version too low"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CERTIFICATE_TYPE),
-    "wrong certificate type"},
+     "wrong certificate type"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CIPHER_RETURNED),
-    "wrong cipher returned"},
+     "wrong cipher returned"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CURVE), "wrong curve"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_RPK_TYPE), "wrong rpk type"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_LENGTH),
-    "wrong signature length"},
+     "wrong signature length"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_SIZE),
-    "wrong signature size"},
+     "wrong signature size"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_TYPE),
-    "wrong signature type"},
+     "wrong signature type"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SSL_VERSION), "wrong ssl version"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_VERSION_NUMBER),
-    "wrong version number"},
+     "wrong version number"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_X509_LIB), "x509 lib"},
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),
-    "x509 verification setup problems"},
+     "x509 verification setup problems"},
      {0, NULL}
  };
  
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h

index 270e8c28539186bfb6047cb50290aa244afdc5d0..ec8d934f32ea28ce9758230139000e4c321e7a33 100644 (file)
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -38,6 +38,7 @@
  # include "internal/ssl.h"
  # include "internal/cryptlib.h"
  # include "record/record.h"
+# include "internal/quic_predef.h"
  
  # ifdef OPENSSL_BUILD_SHLIBSSL
  #  undef OPENSSL_EXTERN
@@ -1197,6 +1198,21 @@ struct ssl_ctx_st {
  # endif
  };
  
+typedef struct ossl_quic_tls_callbacks_st {
+    int (*crypto_send_cb)(SSL *s, const unsigned char *buf, size_t buf_len,
+                          size_t *consumed, void *arg);
+    int (*crypto_recv_rcd_cb)(SSL *s, const unsigned char **buf,
+                              size_t *bytes_read, void *arg);
+    int (*crypto_release_rcd_cb)(SSL *s, size_t bytes_read, void *arg);
+    int (*yield_secret_cb)(SSL *s, uint32_t prot_level, int direction,
+                           const unsigned char *secret, size_t secret_len,
+                           void *arg);
+    int (*got_transport_params_cb)(SSL *s, const unsigned char *params,
+                                   size_t params_len,
+                                   void *arg);
+    int (*alert_cb)(SSL *s, unsigned char alert_code, void *arg);
+} OSSL_QUIC_TLS_CALLBACKS;
+
  typedef struct cert_pkey_st CERT_PKEY;
  
  #define SSL_TYPE_SSL_CONNECTION  0
@@ -1280,6 +1296,11 @@ struct ssl_connection_st {
  
      size_t ssl_pkey_num;
  
+    /* QUIC TLS fields */
+    OSSL_QUIC_TLS_CALLBACKS qtcb;
+    void *qtarg;
+    QUIC_TLS *qtls;
+
      struct {
          long flags;
          unsigned char server_random[SSL3_RANDOM_SIZE];
diff --git a/ssl/sslerr.h b/ssl/sslerr.h

index 7d2bbd6c4e637619ade044453b92db7ade613560..14644f429de87115b04b10dbcc474a14ed63d160 100644 (file)
--- a/ssl/sslerr.h
+++ b/ssl/sslerr.h
@@ -1,6 +1,6 @@
  /*
   * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
   *
   * Licensed under the Apache License 2.0 (the "License").  You may not use
   * this file except in compliance with the License.  You can obtain a copy
diff --git a/util/libssl.num b/util/libssl.num

index f1daba1d1bea5796fa037ef5ee1f71d874e8c24f..fcb0c7ee76fa333268ae88b894fd07b7e3eee543 100644 (file)
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -587,3 +587,5 @@ SSL_CTX_flush_sessions_ex               587 3_4_0   EXIST::FUNCTION:
  SSL_CTX_set_block_padding_ex            588    3_4_0   EXIST::FUNCTION:
  SSL_set_block_padding_ex                589    3_4_0   EXIST::FUNCTION:
  SSL_get1_builtin_sigalgs                590    3_4_0   EXIST::FUNCTION:
+SSL_set_quic_tls_cbs                    ?      3_5_0   EXIST::FUNCTION:
+SSL_set_quic_tls_transport_params       ?      3_5_0   EXIST::FUNCTION:
author	Matt Caswell <matt@openssl.org>
	Tue, 20 Aug 2024 14:09:17 +0000 (15:09 +0100)
committer	Matt Caswell <matt@openssl.org>
	Tue, 11 Feb 2025 17:17:10 +0000 (17:17 +0000)
crypto/err/openssl.txt		patch \| blob \| blame \| history
include/internal/quic_tls.h		patch \| blob \| blame \| history
include/internal/recordmethod.h		patch \| blob \| blame \| history
include/openssl/core_dispatch.h		patch \| blob \| blame \| history
include/openssl/ssl.h.in		patch \| blob \| blame \| history
include/openssl/sslerr.h		patch \| blob \| blame \| history
ssl/quic/build.info		patch \| blob \| blame \| history
ssl/quic/quic_channel.c		patch \| blob \| blame \| history
ssl/quic/quic_tls.c		patch \| blob \| blame \| history
ssl/quic/quic_tls_api.c	[new file with mode: 0644]	patch \| blob
ssl/s3_lib.c		patch \| blob \| blame \| history
ssl/ssl_err.c		patch \| blob \| blame \| history
ssl/ssl_local.h		patch \| blob \| blame \| history
ssl/sslerr.h		patch \| blob \| blame \| history
util/libssl.num		patch \| blob \| blame \| history